Splunk Search

Discussions

Thread Info

How do i reference columns that have been displayed as a result of previous chart command

I have done a chart command --> chart count over "Survey Month" by "Survey Type" and the result displays the two surv...

by New Member in

Extract fields from JSON array

We are moving log from AWS infrastructure to Splunk index via SQS service, but somehow JSON formatted logs breaking w...

by New Member in

Remove events from search that match comma-separated text input

Running Splunk Enterprise 7.3 I am using a text input box to get a list of values from the user to exclude from my se...

by Explorer in

Creating multiple fields by extracting values from single field

Hi, I have a field name Family. This field contain names of husband and wife in below Figure 1 format: All...

by Builder in

How to create a subsearch with multiple results?

Hi, I've a question about sub search, I'm probably misunderstanding docs and other posts. This is my search: ...

by New Member in

Percentage on field summary values

Hello, I am trying to do percentage on fieldsummary values , following is the query and results for the query - in...

by Explorer in

incremental part count per hour

hi! in my current project, I have to create an area map where it shows the number of parts per hour, I was able to di...

by Communicator in

How to find earliest time a string appeared in a value?

I have a field named "example", I want to find the first time that the first log that contained the word "hello". Ho...

by New Member in

How to create a search for Splunk alerts for duplicate events?

I am trying to create a splunk alert for duplicate data and would like some help in creating the splunk search. The d...

by Explorer in

Help with regex in transforms

Hi, I'm hoping that someone can help me with a regex. Here's the source data: <OTHERFIELD>some values</OTHE...

by Champion in

Trouble with rex exceeding match limit

I'm trying to extract a field with the result of an API from a log, either containing "success" or "success.notfound"...

by New Member in

Distance between two Geocoordinates

I'm trying to find the distance between two geo coordinates and am looking for help with the search syntax.Here's wha...

by New Member in

Increasing Time Range hides Data

Hey y'all, So I am seeing a very unique and strange behavior from Splunk. I noticed an issue where a Splunk search...

by Explorer in

How to get field names from log header and removing said header?

I have a log glf log file that I need to get some info out of the heads to format the log data, but other than that, ...

by Contributor in

How to use eval to do simple conversion?

Wow, I can't believe this is kicking my butt -- think I need an idiot check... (yes, I know...  I'm trying to do...

by Contributor in

How to find the duration between two EventCode for Windows Log.

Hello Everyone, I want to calculate the downtime for a particular server based on the difference between two Event...

by Loves-to-Learn in

Need to add Date/Time in report

I have following record in my log - 2019-06-13 10:59:56,664 INFO [FileUploadWebScript] [http-apr-8983-exec-5] The ...

by Path Finder in

Add standalone Indexer to Search Head cluster which already have a Indexer cluster

Hi SPlunkers, I have a multisite search head cluster TWO SH's SH1 ( SITE1 ) and SH2 ( SITE2 ) AND I have mul...

by Engager in

How to create a chart for status value

Hi, I'm new to Splunk and I've created a table with the following headers: Hardware-Name, Environment, Portfolio, ...

by Explorer in

How to make subsearch use same time range, same index, same sourcetype as outer search?

So I specify an outer query, it usually starts like this: earliest=06/14/2019:13:00:00 latest=06/14/2019:14:00:00 ...

by Explorer in

Search query for syslog in dashboard

Hey all, Am in a need of dashboard to see my syslog traffic for four arista switches as mentioned below: AA-UKD...

by Explorer in

Does wildcard sourcetypes in props.conf still work for version 7.0.1?

Hi, I know it should be possible to use wildcard sourcetypes in props.conf using a some regex magic, as explained ...

by Builder in

How do I find values that exist in two different indexes for a particular field?

I'm essentially looking to compare my index field values against an index that has known-bad field values to determin...

by New Member in

regex not working

https://regex101.com/r/PNYxi2/2 not working in splunk. Error in 'rex' command: Encountered the following error ...

by Contributor in

Search to detect auditing service on any disabled critical system that stopped or restarted more than once in the past 7 days.

Hello Splunkers, I'm new to Splunk. I am trying my best to learn Splunk and to write an efficient search. I have c...

by Explorer in

Get Updates on the Splunk Community!

Splunk Search

Discussions

How do i reference columns that have been displayed as a result of previous chart command

Extract fields from JSON array

Remove events from search that match comma-separated text input

Creating multiple fields by extracting values from single field

How to create a subsearch with multiple results?

Percentage on field summary values

incremental part count per hour

How to find earliest time a string appeared in a value?

How to create a search for Splunk alerts for duplicate events?

Help with regex in transforms

Trouble with rex exceeding match limit

Distance between two Geocoordinates

Increasing Time Range hides Data

How to get field names from log header and removing said header?

How to use eval to do simple conversion?

How to find the duration between two EventCode for Windows Log.

Need to add Date/Time in report

Add standalone Indexer to Search Head cluster which already have a Indexer cluster

How to create a chart for status value

How to make subsearch use same time range, same index, same sourcetype as outer search?

Search query for syslog in dashboard

Does wildcard sourcetypes in props.conf still work for version 7.0.1?

How do I find values that exist in two different indexes for a particular field?

regex not working

Search to detect auditing service on any disabled critical system that stopped or restarted more than once in the past 7 days.

.conf25 Global Broadcast: Don’t Miss a Moment

Observe and Secure All Apps with Splunk

What's New in Splunk Observability - August 2025

Help me with splunk query to monitor CPU and Memor...

How can i export a list of all services in APM

Splunk Answers Content Calendar May 2025!

MLTKC how should i check jupyter notebook func in ...

ITSI thresholds: adaptive vs static

Splunk Search

Are you a member of the Splunk Community?

Discussions